I am new to GPO etc and have ran the Adobe Customization Wizard 11 to make changes but I can seem to get the "Preference" correct, under Security (Enhanced) Sandbox Protections I need the "Enable Protected Mode at startup" checked and greyed out and the Protected View set to off but not greyed out. I keep getting it backwards. I have added the following to the registry:

Add (Install Value)
    Key: HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown
    Value: bProtectedMode
    Type: REG_DWORD
    Data: 1

But I am not sure what I am doing wrong, where in the customization wizard should the changes be made and to what to get both settings correct?

Thank you in advance for the help.
Answer Summary:
Cancel
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Answer Chosen by the Author

0
Do check a gpo admin tmpl that adobe shared
http://www.securesenses.net/2013/03/hardening-adobe-reader-11-using-group.html
It is important to note that computer level settings are actual GP settings. This means that users cannot alter the configuration. Also the settings are reverted to their defaults when policy is removed. User level settings are treated as preferences and as such can be altered by users. Also they do not revert to defaults when GPO is removed.

Security wise we should consider enabling the following settings:

Computer Level>AR>Preferences>Startup: Enable Protected Mode at Startup
and if going into the registry setting which i suggest avoid it if poss, 64 or 32 bit machine has the setting in different loc
http://www.serveradventures.com/the-adventures/disabling-adobe-reader-xi-protected-mode-with-group-policyDisabling "Protected Mode" altogether is pretty simple, we just need to change the following registry key:
64-bit:
Keypath:          HKLM\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown
Value name:   bProtectedMode
Value type:     REG_DWORD
Value data:     0

32-bit:
Keypath:          HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown
Value name:   bProtectedMode
Value type:     REG_DWORD
Value data:     0

"In Reader 11.0, Protected View is only supported when Protected Mode is enabled. There can be no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled."

https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedmode.html
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedview.html
Answered 06/22/2015 by: Newbie0000
Orange Senior Belt

Please log in to comment

Answers

Answer this question or Comment on this question for clarity
Nine Simple (but Critical) Tips for Effective Patch Management
This paper reviews nine simple tips that can make patch management simpler, more effective and less expensive.

Share